Difference between revisions of "Belgian ePassport"
Jump to navigation
Jump to search
m (→RFIDIOt) |
|||
| Line 85: | Line 85: | ||
====[http://jmrtd.org/ JMRTD]==== |
====[http://jmrtd.org/ JMRTD]==== |
||
Java host API & Javacard applet to build your own epassport infrastructure |
Java host API & Javacard applet to build your own epassport infrastructure |
||
| − | ==== |
+ | ====RFIDIOt==== |
| + | See [[RFID]] |
||
| − | apt-get install python-pyscard |
||
| − | $ ./mrpkey.py -L |
||
| − | PCSC devices: |
||
| − | No: 0 OMNIKEY CardMan 5x21 00 00 |
||
| − | No: 1 OMNIKEY CardMan 5x21 00 01 |
||
| − | $ ./mrpkey.py -r 1 CHECK |
||
| − | mrpkey v0.1n (using RFIDIOt v0.1s) |
||
| − | Reader: PCSC OMNIKEY CardMan 5x21 00 01 |
||
| − | Device is a Machine Readable Document |
||
| − | $ ./mrpkey.py -r 1 "EXnnnnnn<cBELyymmddcSyymmddc<<<<<<<<<<<<<<cc" |
||
| − | To fix reader number, edit RFIDIOtconfig.py |
||
| − | <br>In MRZ passport number is coded with 9 chars. Belgian uses only 8 chars so some passport readers need a document number padded with char "<" ("EXnnnnnn<") |
||
| − | To use mrpkey under Windows you need: |
||
| − | * [http://www.python.org/download/ python] |
||
| − | * [http://sourceforge.net/projects/pyscard/ pyscard] |
||
| − | * [http://sourceforge.net/projects/pyserial/ pyserial] |
||
| − | * [http://sourceforge.net/project/showfiles.php?group_id=78018 pywin32] |
||
| − | * [http://www.voidspace.org.uk/python/modules.shtml#pycrypto pycrypto] |
||
| − | * [http://www.pythonware.com/products/pil/ python imaging library] |
||
====[http://www.dexlab.nl/ eCL0WN]==== |
====[http://www.dexlab.nl/ eCL0WN]==== |
||
Applet for Nokia NFC phone |
Applet for Nokia NFC phone |
||
Revision as of 00:01, 29 January 2009
Back to Belgian eGov
Belgian ePassports
Characteristics
- Current versions demo
- Uses Opentrust PKI (former IDX-PKI from idealx)
- Price:
- 30€ droit de chancellerie
- taxes communales (Ixelles=26€, Leuven=11€?,...)
- 41€ frais de confection
- Much more expensive if urgent or 64 pages (~250€)
- maker? at least not Zetes (contradictory info here)
Mais nous ne fabriquons pas le passeport belge, c’est vrai. C’est un contrat qui a été attribué avant que nous ne soyons actifs sur ce segment. S’il y a un appel d’offres, j’imagine que nous y répondrons.
chip
- ATR 3B 8E 80 01 80 91 E1 31 C0 64 77 E3 03 00 83 82 90 00 6C
- ATR 3B 8E 80 01 80 91 91 31 C0 64 77 E3 03 00 83 82 90 00 1C (as mentioned in pcsc-lite smartcard_list.txt)
- Belgium is one rare country to also include the owner handwritten signature, in EF_DG7
- Non-compliances?
- Requires option 0x0C whenever you select the application or a file (important for non-BAC passports), usually other passports implement 7816-4 a bit better and accept the standard select_file but apparently Belgium just implemented the example of LDS just as it was presented, no more)
- non-BAC passports have a bug in EF_DG11, in full name of holder (tag 5F0E): null length followed by "A0 06 02 01 01"
- newer passports have a bug in EF_DG12, using tag 5F85 instead of 5F55 for the document issuance timestamp (5F85 is in LDS1.7, 5F55 is in ISO standard)
- Reading the DS certificate in EF_SOD (output truncated):
openssl pkcs7 -text -print_certs -in EF_SOD.PEM
Authority:
Issuer: C=BE, O=Kingdom of Belgium, OU=Federal Public Service Foreign Affairs Belgium, CN=CSCAPKI_BE
Subject: C=BE, O=Kingdom of Belgium, OU=Federal Public Service Foreign Affairs Belgium, CN=DSPKI_BE
X509v3 extensions:
X509v3 Authority Key Identifier:.
keyid:00:84:19:14:B2:CE:7E:0A:DE:3A:26:F9:FD:DD:1F:F4:01:42:A8:0E
Security of Belgian ePassports
- http://www.theregister.co.uk/2007/06/10/belgian_epassport_flaws/
- http://www.dice.ucl.ac.be/crypto/passport/index.html
RFID-enabled Passports
ICAO standards
- ICAO MRTD
- ICAO9303-pt1-vol1.pdf
- ICAO9303-pt1-vol2.pdf
- ICAO9303-pt3.pdf
- Supplement to ICAO Doc 9303 - Release_7
- LDS 1.7
Country certificates
Stupid script to see what are the country certificates there (there are also CRLs):
#!/bin/bash
rm xx*
csplit pkd.000033.ldif '%userCertif%' '/^userCertif/' '{*}'
for i in xx*; do
cat $i |sed '1s/^.*:://;/:/,/qwerty/d' |openssl base64 -d|openssl x509 -inform der -out $i.pem -outform pem
cat $i |sed '1s/^.*:://;/:/,/qwerty/d' |openssl base64 -d|openssl x509 -inform der -text -noout > $i.txt
test $? -eq 0 && rm $i
done
As per epassport2008 there are several certificates for the full EAC solution:
Element File name CSCA certificate - name NN_CSCA.der (.der, .cer) DS certificate NN_DS (.der, .cer) preferably included in the ePassport chip CVCA certificate NN_CVCA.cvcert (minimal validity at least 2 month) CVCA private key under PKCS#8 format NN_CVCA.pkcs8 DV certificate NN_DVCA.cvcert (effective date like CVCA certificate) IS certificate NN_IS.cvcert (effective date like CVCA certificate) IS private key under PKCS#8 format NN_IS.pkcs8
Security of the ePassport infrastructure
- On Exploiting ePassport Vulnerabilities (about PKI)
- So what’s the issue with ePassport security?
- Hello, my name is ...
- E-passport security
- Fingerprinting passports via their non-standard error codes
Tools
OpenMRTD
library
JMRTD
Java host API & Javacard applet to build your own epassport infrastructure
RFIDIOt
See RFID
eCL0WN
Applet for Nokia NFC phone
vonJeek emulator
Misc
- Protective sleeves & wallets shielding RFID stuff like ePassports